Keycloak OIDC not supported

[b-d-e]

Release: wandb/local:0.58.1

I'm trying to configure a local instance of wandb to use Keycloak as an OIDC provider, but struggling to get it to work either through the web admin settings or by setting docker enviroment variables.

I believe it's because of the way keycloak uses 'realms' - so where most OIDC providers will use a URL of the schema https://{DOMAIN}/users/sign_in keycloak uses something like https://{DOMAIN}/realms/{REALM_NAME}/protocol/openid-connect/auth?client_id={CLIENT_ID}.

Other OIDC clients (e.g. Outline) allow more expressive docker environment variables which work with Keycloak, e.g:

OIDC_AUTH_URI=https://{DOMAIN}/realms/{REALM_NAME}/protocol/openid-connect/auth
OIDC_TOKEN_URI=https://{DOMAIN}/realms/{REALM_NAME}/protocol/openid-connect/token
OIDC_USERINFO_URI=https://{DOMAIN}/realms/{REALM_NAME}/protocol/openid-connect/userinfo

But if I try to set these for wandb, the gorilla service still tries to use the old url schema and panics as it does not exist:

{"level":"INFO","time":"2024-09-07T15:44:41.254942969Z","info":{"program":"gorilla","source":"github.com/wandb/core/services/gorilla/cmd/gorilla.go:1409","pid":1583},"data":{"dd.service":"gorilla","dd.version":"18d22e645275697ba614e1d1ea139452c4bed39f"},"message":"parsed schema","dd.trace_id":""}
panic: Get "https://{DOMAIN}/users/sign_in": stopped after 10 redirects

goroutine 1 [running]:
github.com/wandb/core/services/gorilla/cmd.(*gorillaCommander).MainCmd(0xc00188db00, {0xc00188dbe0, 0x1, 0x1})
        /home/circleci/go/src/github.com/wandb/core/services/gorilla/cmd/gorilla.go:1528 +0xccb6
main.main()
        /home/circleci/go/src/github.com/wandb/core/services/gorilla/cmd/megabinary/main.go:75 +0x431

Apologies if this is implemented and I am missing it in the docs, but am struggling to find anything.

[exalate-issue-sync[bot]]

Bonnie Shen commented: Hello Benjamin: Thanks for writing to us! Here's some resource to configure Keycloak as OIDC provider. Please give it a try and let us know if it works for you. Best, W&B

[exalate-issue-sync[bot]]

Bonnie Shen commented: Request #75109 "Keycloak OIDC not supported" was closed and merged into this request. Last comment in request #75109:

exalate-issue-sync[bot] commented: Bonnie Shen commented: Hello Benjamin: Thanks for writing to us! Here's some resource to configure Keycloak as OIDC provider. Please give it a try and let us know if it works for you. Best, W&B

[exalate-issue-sync[bot]]

Bonnie Shen commented: This request was closed and merged into request #75110 "[Local (Wandb Server)] Keycloak ...".

[b-d-e]

Hi Bonnie,

Thanks for getting back to me - glad to see there are resources available to help! Sorry but I'm not seeing a link or any attachments here - could you please resend?

Thanks, Benjamin

On Mon, 9 Sept 2024 at 16:23, exalate-issue-sync[bot] < @.***> wrote:

Bonnie Shen commented: Hello Benjamin: Thanks for writing to us! Here's some resource to configure Keycloak as OIDC provider. Please give it a try and let us know if it works for you. Best, W&B

— Reply to this email directly, view it on GitHub https://github.com/wandb/server/issues/142#issuecomment-2338417750, or unsubscribe https://github.com/notifications/unsubscribe-auth/AEPAENGZX3RSBUEFK4T5XGDZVW4NFAVCNFSM6AAAAABN2D73EWVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDGMZYGQYTONZVGA . You are receiving this because you authored the thread.Message ID: @.***>

[boshwandb]

Hi @b-d-e ! It seemed like my link didn't get carried over from my backend. I'm attaching it here directly in the comment. Sorry for the inconvenience.

[b-d-e]

Thanks @boshwandb! Is that a private repo? I'm getting a 404.

[boshwandb]

I apologize, it is currently a private repo. Let me list the instructions here in the next comment. Your patience is greatly appreciated.

[boshwandb]

Keycloak Configuration

1. Create Keycloak ream

This is optional and you can use the master realm, but it's highly recommended to work with realms.

1. Create and Configure Client

:warning: Replace all the values with valid values for your organization.

Next step after create the realm, is setup the client, which is the configuration to be used by the application that will authenticate with Keycloak.

The client type myst be OpenID Connect

• Create client

• Configure the client

Keep the Standard flow and the Implicit flow enabled.

• Set W&B URL's

For this configuration, the most important URL is the Valid redirect URLs. This is the callback URL that Keycloak will call to send W&B the authentication token.

1. Configure OIDC Scope

When the client type OpenID Connect is created, Keycloak already set a default OIDC scope that contain all required claims. However, some Keycloak configuration may set different claims for OIDC scopes. For W&B, one of the most important claims is the email, so regarldess the scop you will use, ensure the claims email and profileare set to Default

1. Enable PKCE

Still in the client configuration, navigate to the Advanced tab and click on Advanced Settings

Search for the drop down menu Proof key code exchange and select S256

Save the configuration.

1. Add user and/or groups

Now the next step is assign users and/or groups to the newly created realm to allow users authenticate using the also newly created wandb client.

W&B Configuration

The W&B configuration will depend on how did you installed the platform. For this guide, I will cover the configuration using the W&B helm chart and the configuration via W&B Operator console.

• Helm Cart

As highlighted in the above link, you will need to add the Keycloak configuration according to the example below in the values.yaml you used to install W&B.

sso:
  enabled: true
  # Automatically provision a user if SSO auth succeeds
  autoProvision: true
  clientId: wandb
  issuer: http://keycloak.home.lab/realms/wandb/
  # Can be implicit or pkce
  method: pkce

Once the values.yaml is configured, apply the new configuration and test it.

• Operator Console

Navigate to https://<WANDB FQDN>/console/settings/auth and input Keycloak data.

Login Screens

W&B Login

Login redirected to Keycloak for Authentication

In case the Keycloak user is also new, it may need to change the password depending how Keycloak is configured

After SSO authentication, user is created in W&B

Login is complete

[exalate-issue-sync[bot]]

Bonnie Shen commented: Hi Benjamin,

We wanted to follow up with you regarding your support request as we have not heard back from you. Please let us know if we can be of further assistance or if your issue has been resolved.

Best, Weights & Biases

[b-d-e]

Hi Bonnie. I have had a quick look (on docker, not with helm), though was hitting another issue - but I think that might be an networking problem my end. Do you have a comprehensive list of the environment variables a docker instance ofwandb/local takes? There's this list, but that isn't exhaustive (e.g. there's some GORILLA vars that aren't in there)

[boshwandb]

Hi @b-d-e ! Does this one help?

[exalate-issue-sync[bot]]

Bonnie Shen commented: Hi @b-d-e,

We wanted to follow up with you regarding your support request as we have not heard back from you. Please let us know if we can be of further assistance or if your issue has been resolved.

Best, Weights & Biases

[exalate-issue-sync[bot]]

Bonnie Shen commented: Hi @b-d-e, since we have not heard back from you we are going to close this request. If you would like to re-open the conversation, please let us know!